July 7, 2022 – Our recent cyberattacks against Iran’s steel industry, which is affiliated with the IRGC and the Basij, have damaged these companies that are subject to the international sanctions: the Khouzestan Steel Company (KSC), the Mobarakeh Steel Company (Isfahan) (MSC) and the Hormozgan Steel Company (HOSCO). Today, we are exposing for the first time, top secret documents and tens of thousands of emails from these companies on their customers and trading practices as evidence of these companies’ affiliation with the IRGC.
The hacker group Gonjeshke Darande reported a cyberattack on three Iranian steel producers: Khouzestan Steel Company (KSC), Mobarakeh Steel Company (Isfahan) (MSC) and Hormozgan Steel Company (HOSCO). Videos of the aftermath and screenshots from internal systems were released as confirmation. The group justifies its choice of targets by pointing out that the companies are under sanctions yet continue to operate. The attacks are presented as a response to Iranian aggression, which is not specified further. The posts also stress that the cyberattacks are carried out in a way that spares innocent people.
Last fall, Gonjeshke Darande claimed responsibility for hacking Iran’s fuel distribution system, which disrupted the sale of gasoline to the public at preferential prices.
Today, we, “Gonjeshke Darande”, carried out cyberattacks against Iran’s steel industry, which is affiliated with the IRGC and the Basij: the Khouzestan Steel Company (KSC), the Mobarakeh Steel Company (Isfahan) (MSC) and the Hormozgan Steel Company (HOSCO).
These companies are subject to international sanctions and continue their operations despite the restrictions. These cyberattacks, being carried out carefully so as to protect innocent individuals, are in response to the aggression of the Islamic Republic.
Details have emerged of a destructive cyberattack on Iran’s strategic metallurgy facilities – Hormozgan Steel, Khouzestan Steel and Mobarakeh Steel – that took place over the weekend and for which the Gonjeshke Darande group has claimed responsibility.
Researchers located files associated with the attack; initial analysis indicates that the malware, dubbed Chaplin, is directly linked to last year’s attacks on Iranian Railways.
The Chaplin.exe executable is a variant of Meteor, a wiper seen in attacks on the Iranian railways and government. The two share a common codebase, but Chaplin, unlike Meteor and its earlier variants Stardust and Comet, lacks a cleanup feature.
Chaplin also contains no debug logging, although it does retain useful RTTI information. It begins execution by disabling the network adapters, logging the user out, and launching the Screen.exe binary in a new thread.
Screen.exe forces the display to stay on, blocks user interaction with the computer, plays video.wmv through the Filter Graph Manager COM object, and deletes the “Lsa” registry key, which prevents the system from booting properly.
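The behaviour above (a dropped binary spawning a second one, which then deletes the Lsa key) is high-signal for defenders. As an added example that is not part of the original report or the researchers’ own tooling, the script below correlates constructed Sysmon-style records per host: it flags any DeleteKey on the Lsa key and checks whether the deleting process was spawned shortly before. The full key path and the field names are assumptions, not taken from the page.

```python
"""Detection sketch for the Screen.exe / Lsa-deletion pattern (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed location of the "Lsa" key the report mentions (not stated on the page).
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
WINDOW = timedelta(minutes=5)  # how far back to look for the spawning event

# Constructed sample telemetry mimicking Sysmon EventID 1 (ProcessCreate)
# and EventID 12 (RegistryEvent, DeleteKey). Not real data.
SAMPLE_EVENTS = [
    {"ts": "2022-06-27T02:00:01", "host": "hmi-01", "event_id": 1,
     "image": r"C:\Users\op\Downloads\Chaplin.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2022-06-27T02:00:03", "host": "hmi-01", "event_id": 1,
     "image": r"C:\Users\op\Downloads\Screen.exe", "parent": r"C:\Users\op\Downloads\Chaplin.exe"},
    {"ts": "2022-06-27T02:00:05", "host": "hmi-01", "event_id": 12, "event_type": "DeleteKey",
     "target": LSA_KEY, "image": r"C:\Users\op\Downloads\Screen.exe"},
    {"ts": "2022-06-27T09:15:00", "host": "fileserver", "event_id": 12, "event_type": "DeleteKey",
     "target": r"HKLM\SOFTWARE\Vendor\Temp", "image": r"C:\Program Files\Vendor\setup.exe"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect(events):
    """Return {host: [reasons]} for hosts showing the boot-breaking wiper pattern."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        reasons = []
        for e in evs:
            # Rule 1: deleting the Lsa key is never routine; alert on it alone.
            if (e["event_id"] == 12 and e.get("event_type") == "DeleteKey"
                    and e.get("target", "").lower() == LSA_KEY.lower()):
                t = parse_ts(e["ts"])
                reasons.append(f"Lsa key deleted by {e['image']}")
                # Rule 2: enrich with the process-creation event that spawned the
                # deleting image within WINDOW (the Chaplin.exe -> Screen.exe chain).
                for p in evs:
                    if (p["event_id"] == 1 and p["image"] == e["image"]
                            and t - WINDOW <= parse_ts(p["ts"]) <= t):
                        reasons.append(f"{p['image']} spawned by {p['parent']} "
                                       f"{t - parse_ts(p['ts'])} before deletion")
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    for host, why in detect(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(why))
```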
The one-frame video matches a photo uploaded by the hackers on social media, displaying the logos of Predatory Sparrow victims: Khouzestan Steel Company (KSC), Iranian Oil Company, Ministry of Roads and Urban Development, Iranian Railways.
As in previous incidents, the hackers left a phone number belonging to the office of Iran’s supreme leader as the point of contact.
It is currently unclear if Chaplin has any modules that would allow it to interact with industrial equipment on Khouzestan Steel’s OT network.
Certfa Labs researchers, judging by the video the hackers released, suggest that interaction with the plant’s industrial equipment could have taken place through another channel: the control panel operated by Irisa, which provides network services and industrial infrastructure for Iranian companies.
At the same time, specialists do not rule out that Gonjeshke Darande may still have access to the networks of other organizations.